KeyRaider Compromised More Than 225K Apple Accounts

A sophisticated piece of malware that steals Apple accounts from modified iOS devices has recently alarmed the IT community. A report from Palo Alto Networks reveals that more than 225,000 Apple credentials have been stolen using this malware. The malware is named KeyRaider, and it allows attackers to download applications from Apple’s App Store for free or to lock devices in exchange for a ransom.

“We believe this to be the largest known Apple account theft caused by malware,” Claud Xiao of Palo Alto Networks wrote in his blog post. On the 26th of August 2015, Palo Alto Networks informed Apple about KeyRaider and handed over the details of the stolen account information, Xiao added. Apple officials in Sydney could not be reached right away, so other means were used to get the message across as soon as possible, and Apple was successfully informed the following day.

Only “jailbroken” Apple devices can be infected by KeyRaider. Jailbreaking is a procedure that removes Apple’s protections restricting which applications can be installed on an Apple device. Apple warns the public about the security vulnerabilities that jailbreaking introduces.

WeipTech, a new technical organization in China, is helping to investigate KeyRaider together with Palo Alto Networks. According to Xiao, a student at Yangzhou University who is a member of the organization discovered the attack.

KeyRaider spreads by being bundled into software packages, or by being incorporated into jailbreak tweaks that add new functions to iOS. The malware has been found within tweaks posted on the Weiphone forum, which is devoted to jailbroken phones.

Palo Alto Networks explained that additional information on the matter points to a suspect who goes by the username “mischa07” on Weiphone. This user is responsible for seeding KeyRaider into his or her personal apps repository. The same username was also hardcoded into KeyRaider, where it serves as the encryption and decryption key for the malware.

A thorough evaluation of mischa07’s repository reveals that the user has uploaded numerous tweaks to Weiphone, including game cheats, tweaks that strip advertisements from apps, and system tuning tools.

KeyRaider uses Cydia, the application used to download apps on jailbroken phones, to hook into its system processes. It steals Apple account usernames and passwords and intercepts users’ iTunes login credentials, which it can then use to fraudulently download apps. Beyond these breaches, the malware also collects private keys, purchase receipts and certificates.

Xiao has also noted another kind of attack. He said KeyRaider was used in a ransomware attempt – at least one has been recorded. The malware can “locally disable any kind of unlocking operations, whether the correct passcode or password has been entered,” Xiao wrote. One person reported that his phone was locked and displayed a message telling him to contact someone over the QQ instant messaging service.

The stolen account information was unearthed by WeipTech on a command-and-control server that communicates with KeyRaider-infected devices. The server itself had security issues, which alerted the KeyRaider authors that something was going on; as a result, WeipTech recovered only half of the stolen accounts before the attacker fixed the vulnerability. WeipTech now offers a service that users can use to find out whether their account has been compromised.

House of IT, a managed IT services provider in Australia, has researched further into other vulnerabilities that this malware, or other viruses, could exploit to affect its customers’ businesses. The company’s IT experts are continually refining their prevention techniques.